© CyberArk Conjur 2018 All rights reserved.

LDAP Sync


LDAP Sync imports corporate Active Directory or POSIX LDAP structure into the Conjur environment. It extracts user and group identities from an existing, standard directory server so they can be incorporated into Conjur’s security infrastructure. Conjur recognizes and assimilates LDAP naming conventions so users and groups can be manipulated and managed by Conjur.

LDAP Sync is a one-way process with a read-only connection to the LDAP server. Any Conjur-based directory-management functions and modifications have no effect on the original LDAP database or user information. But specified changes or adjustments to the original LDAP naming model are integrated into the Conjur environment with each new synchronization. The sync retains LDAP-hierarchical information about groups and members.


Functional Overview

Conjur initiates a secure connection to the LDAP directory via a Conjur service that functions as an Authentication Proxy for LDAP communication. Sync parameters are established with a filtering mechanism for user and group accounts, so sync updates can be applied as needed. Likewise, directory attributes for mapping are defined prior to running the sync. Conjur tests the connection and the search criteria to confirm their accuracy before the synchronization is actually run.

Once the sync configuration is confirmed, security administrators can run an ad-hoc sync to load the users and groups into Conjur. They can also schedule the sync to run on a regular basis by calling the API from standard schedulers such as Cron, RunDeck, or a periodic Jenkins job.


Configuring LDAP Sync

LDAP Sync is configured in the Conjur UI. After configuration, a Conjur Policy is generated that can then be loaded into Conjur.

The remainder of this section illustrates how to configure LDAP Sync in the Conjur UI.

First, log into the Conjur UI dashboard and click on the settings icon in the top right-hand corner.

Select LDAP Sync.

1. Connect

Create a connection to an existing LDAP/AD installation.

Fields

  • Connection type: Unencrypted, SSL, or TLS. Use this setting to control whether encryption is used to communicate with the directory server.
    If using SSL or TLS, you must provide a PEM-formatted certificate in the SSL/TLS Certificate field; this field is only visible when SSL or TLS is selected. Paste the contents of your certificate PEM into the field. The certificate may be self-signed or signed by a CA. Ensure the configured hostname matches the certificate, or connections will fail.
  • Server & port: Hostname or IP address and port of your directory server.
  • Base DN: Distinguished Name (DN) of the starting point for directory server searches.
  • Bind DN: Distinguished Name (DN), including common name (CN), of a directory user account that has privileges to search for users.
  • Search password: Password that corresponds to the user specified by Bind DN.

All fields for this step are required.

Click the Connect button to test the connection. On a successful connection, step 2. Configure is shown.

2. Configure

Narrow the sync search results and find specific users and groups to be imported, specifying which attributes to sync to Conjur.

The Conjur UI uses standard LDAP (RFC) filter strings for searches. For filtering details, consult your LDAP/AD admin team and refer to the Microsoft Developer Network for search-filter syntax.

Please Note: Users need to be members of a selected group in order to be synced with Conjur. Users not part of a selected group will be dropped.

Fields

  • User filter: Object Class (OC) of users to sync.
  • Group filter: Object Class (OC) of groups to sync.
  • User login: Attribute that maps to a user login name.
  • UID number: Attribute that maps to a user ID, optional.
  • SSH public key: Attribute that maps to user public SSH key, optional.
  • Group name: Attribute that maps to group name.
  • GID: Attribute that maps to group ID, optional.

Click the Test Configuration button to view the results of a directory search based on the filters you entered. If the results look incorrect, modify your filters and click Test Configuration again to run a new search. Repeat until the results are correct. Once you are satisfied with the search results, click the Save & Schedule button to save your settings. This takes you to the last step, 3. Sync.

3. Sync

Connection and filter settings have now been saved.

Trigger a sync by generating a Conjur Policy and loading it with the Conjur CLI. Output will look similar to this:

$ conjur ldap-sync policy show | tee ldap-sync.yml
---
- !user
  annotations:
    ldap-sync/source: 172.17.0.3:389
    ldap-sync/upstream-dn: cn=Lucy Banks,dc=example,dc=org
  id: Lucy Banks
  owner: !group
    id: conjur/ldap-sync
  uidnumber: 4
- !group
  annotations:
    ldap-sync/source: 172.17.0.3:389
    ldap-sync/upstream-dn: cn=_IT-OPS_,dc=example,dc=org
  gidnumber: 10011
  id: _IT-OPS_
  owner: !group
    id: conjur/ldap-sync
- !grant
  member:
  - !member
    admin: false
    role: !user
      id: Lucy Banks
  - !member
    admin: true
    role: !group
      id: "/conjur/ldap-sync"
  replace: true
  role: !group
    id: _IT-OPS_

$ conjur elevate policy load ldap-sync.yml
Authenticating thomas
Create user 'Lucy Banks'
  Set annotation 'ldap-sync/source'
  Set annotation 'ldap-sync/upstream-dn'
Create group '_IT-OPS_'
  Set annotation 'ldap-sync/source'
  Set annotation 'ldap-sync/upstream-dn'
Grant group '_IT-OPS_' to user 'Lucy Banks'
{"conjur:user:Lucy Banks":"zxp4wj11f5zfsrvzyty3n1qczr3p4c7hw39rzsfq31kazc4vsqe7n"}

API keys of newly-created users are returned after the policy is loaded.

View the Conjur UI to see that all users and groups have been successfully synchronized to Conjur.
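The following is an added illustration, not Conjur's own code, of how the step 2 filters and attribute mapping turn directory search results into the policy statements shown in the sample output above (users, groups with their annotations, and a replace-style grant), including the rule that users outside every selected group are dropped. The directory entries, attribute names and group membership below are constructed for the example.

```python
# Added illustration of how LDAP Sync maps directory entries to the policy
# statements shown above. Written for this page; it is not Conjur's own code.
SOURCE = "172.17.0.3:389"      # "Server & port" from step 1 (value from the sample output above)
OWNER = "conjur/ldap-sync"     # owner role Conjur assigns to every synced user and group

# Attribute mapping chosen in step 2 (field -> LDAP attribute); POSIX-style names assumed.
MAPPING = {"user_login": "cn", "uid_number": "uidNumber",
           "group_name": "cn", "gid": "gidNumber"}

# Constructed sample search results as (dn, attributes); memberOf lists group DNs.
ENTRIES = [
    ("cn=Lucy Banks,dc=example,dc=org",
     {"objectClass": ["person"], "cn": "Lucy Banks", "uidNumber": 4,
      "memberOf": ["cn=_IT-OPS_,dc=example,dc=org"]}),
    ("cn=Orphan User,dc=example,dc=org",          # belongs to no selected group
     {"objectClass": ["person"], "cn": "Orphan User", "uidNumber": 5, "memberOf": []}),
    ("cn=_IT-OPS_,dc=example,dc=org",
     {"objectClass": ["groupOfNames"], "cn": "_IT-OPS_", "gidNumber": 10011}),
]

def sync_policy(entries, user_oc, group_oc, mapping=MAPPING, source=SOURCE):
    """Return the policy statements a sync would generate, as plain dicts."""
    annot = lambda dn: {"ldap-sync/source": source, "ldap-sync/upstream-dn": dn}
    groups = {dn: a for dn, a in entries if group_oc in a["objectClass"]}
    users = [(dn, a) for dn, a in entries if user_oc in a["objectClass"]]
    policy, members = [], {dn: [] for dn in groups}
    for dn, a in users:
        selected = [g for g in a.get("memberOf", []) if g in groups]
        if not selected:   # not a member of any selected group: dropped (note in step 2)
            continue
        login = a[mapping["user_login"]]
        policy.append({"!user": {"id": login, "owner": OWNER, "annotations": annot(dn),
                                 "uidnumber": a.get(mapping["uid_number"])}})
        for g in selected:
            members[g].append(login)
    for dn, a in groups.items():
        name = a[mapping["group_name"]]
        policy.append({"!group": {"id": name, "owner": OWNER, "annotations": annot(dn),
                                  "gidnumber": a.get(mapping["gid"])}})
        # replace: true makes each sync overwrite the membership, so LDAP removals propagate;
        # the ldap-sync owner group is kept as an admin member, as in the sample output.
        policy.append({"!grant": {"role": name, "replace": True, "members":
                       [{"role": "user:" + u, "admin": False} for u in members[dn]]
                       + [{"role": "group:" + OWNER, "admin": True}]}})
    return policy

def of_kind(policy, tag):
    """Helper for inspecting results: the bodies of all statements with the given tag."""
    return [s[tag] for s in policy if tag in s]
```

Running sync_policy(ENTRIES, "person", "groupOfNames") yields one user (Lucy Banks), one group (_IT-OPS_) and one grant; the orphan user never appears, which is the behaviour the step 2 note describes.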
